search

canonical / charm-openstack-service-checks

Collection of Nagios checks and other utilities that can be used to verify the operation of an OpenStack cluster
0 stars 2 forks source link

Openstack user "nagios" doesn't have permissions to run check_octavia.py #165

Closed mastier closed 3 months ago

mastier commented 3 months ago

This is contination of bug: https://bugs.launchpad.net/charm-openstack-service-checks/+bug/1962782

The openstack user stored in /var/lib/nagios/nagios.novarc doesn't seem to have enough privilege to run check_octavia.py To reproduce please try running the check manually like below:

root@juju-8d8c5a-4-lxd-17:/etc/nagios/nrpe.d# /usr/local/lib/nagios/plugins/check_octavia.py --check amphorae
Traceback (most recent call last):
  File "/usr/local/lib/nagios/plugins/check_octavia.py", line 358, in <module>
    main()
  File "/usr/local/lib/nagios/plugins/check_octavia.py", line 352, in main
    status, message = process_checks(args)
  File "/usr/local/lib/nagios/plugins/check_octavia.py", line 293, in process_checks
    return nagios_exit(args, checks[args.check](connection))
  File "/usr/local/lib/nagios/plugins/check_octavia.py", line 203, in check_amphorae
    items = list(lb_mgr.amphorae())
  File "/usr/lib/python3/dist-packages/openstack/resource.py", line 1693, in list
    exceptions.raise_from_response(response)
  File "/usr/lib/python3/dist-packages/openstack/exceptions.py", line 234, in raise_from_response
    raise cls(
openstack.exceptions.HttpException: HttpException: 403: Client Error for url: https://octavia.oam.prd.infra.client.net:9876/v2.0/octavia/amphorae, Forbidden

For workaround one may give the load balancer roles manually to the nagios user

ubuntu@app1maas001p:~$ NAGIOS_USER_ID=$(openstack user list --domain service_domain | grep nagios | awk '{print $2}')
ubuntu@app1maas001p:~$ openstack role add --domain service_domain --user $NAGIOS_USER_ID load-balancer_member
ubuntu@app1maas001p:~$ openstack role add --project-domain service_domain --project services --user $NAGIOS_USER_ID load-balancer_member
ubuntu@app1maas001p:~$ openstack role add --domain service_domain --user $NAGIOS_USER_ID load-balancer_admin
ubuntu@app1maas001p:~$ openstack role add --project-domain service_domain --project services --user $NAGIOS_USER_ID load-balancer_admin
Pjack commented 3 months ago

Duplicated issued with #137